HashiCorp Vault
HashiCorp Vault is the centralised secrets management system for the roche-data pipeline. All credentials, API tokens, connection strings, and sensitive configuration are stored in Vault and loaded at runtime. No secrets are committed to git or stored in environment files — Vault is the single source of truth for all sensitive data.
Connection Details

| Property | Value |
|---|---|
| URL | https://vault.service.roche.com |
| Namespace | rdt-model-prd |
| Version | 1.20.4+ent (HA cluster vtl, AWS KMS auto-unseal) |
| Auth method (human) | OIDC via PingFederate |
| Auth method (CI/CD) | JWT/OIDC with GitHub-issued tokens (no stored secrets) is the listed method; note that the workflow steps documented below still log in with AppRole (role_id/secret_id) |
| Network | Roche corporate network (VPN required) |
| Access task | A00 (Foundation) |
| GitHub issue | #70 |
| CIDM group | GLOHVAULT_MODEL |
| Users | RXPMODE1, RXPMODE2 |
Environment Variables

| Variable | Source | Description |
|---|---|---|
| VAULT_ADDR | Shell / CI config | Vault server URL (https://vault.service.roche.com) |
| VAULT_NAMESPACE | Shell / CI config | Target namespace (rdt-model-prd) |
| VAULT_ROLE_ID | GitHub Environments | AppRole role ID (per environment) |
| VAULT_SECRET_ID | GitHub Environments | AppRole secret ID (per environment) |

Of the two AppRole values only the secret ID is a credential: the role ID is a non-secret identifier, while anyone holding both can obtain a token with that role's policies. Keep VAULT_SECRET_ID as a GitHub Environment secret (never a plain variable) and rotate it if it is ever exposed.
AppRole Credentials (GitHub Environments)

| Environment | Role ID |
|---|---|
| dev | d8384621-af67-6ce6-7f8b-d3e69b1a9472 |
| test | bf51590d-f724-9a08-bc33-7680f26f79a5 |
| prod | d9162e97-40c0-3271-9484-48030e236c70 |

Role IDs are identifiers, not credentials; the matching secret IDs are held only in the GitHub Environment secrets and are not recorded here.
Secret Paths

Common paths (shared across environments)

| Path | Contents |
|---|---|
| secret/common/project | Project-wide configuration (9 keys) |
| secret/common/rtis | RTiS base URL, timeout |
| secret/common/gupri | GUPRI base URL, URI prefix |
| secret/common/collibra | Collibra base URL |
| secret/common/mrhub | MRHub base URL |
| secret/common/mulesoft | Mulesoft base URL |
| secret/common/servicenow | ServiceNow base URL |
| secret/common/sinequa | Sinequa base URL |
| secret/common/leanix | LeanIX base URL |
| secret/common/data-marketplace | Data Marketplace base URL |
| secret/common/github | GitHub configuration |
| secret/common/caas | CaaS/Rancher connection details |

Environment-specific paths

| Path pattern | Contents |
|---|---|
| secret/{env}/snowflake | Snowflake OAuth credentials (17 keys) |
| secret/{env}/rtis | RTiS service account credentials |
| secret/{env}/collibra | Mulesoft proxy credentials for Collibra |
| secret/{env}/solace | Broker credentials per environment |
| secret/{env}/caas | Namespace and cluster per environment |
| secret/{env}/ci | CI/CD pipeline secrets |
CLI Modules

Vault is not consumed by one specific CLI module; it provides credentials for all of them:

| Consumer | Usage |
|---|---|
| scripts/vault-env.sh | Loads all secrets into the shell environment for local development |
| GitHub Actions | AppRole login in each workflow for CI/CD |
| All CLI modules | Read credentials from environment variables (loaded from Vault) |
Access Verification

Script: scripts/access/check-vault.sh
Required tools: vault (HashiCorp CLI v1.20.4+ent)
Install:

```bash
wget -qO- https://releases.hashicorp.com/vault/1.20.4+ent/vault_1.20.4+ent_linux_amd64.zip | funzip > /usr/local/bin/vault && chmod +x /usr/local/bin/vault
```

This one-liner installs whatever the download server returns, unverified, and relies on the binary being the first member of the archive (funzip extracts only that member). For anything beyond a throwaway dev box, download the archive, check it against the SHA256SUMS file HashiCorp publishes alongside each release (and that file's signature), then unzip it.

Checks performed:
- Token validity and lookup
- Read access to secret/dev and secret/common
- Read access to critical paths: secret/dev/snowflake, secret/dev/rtis, secret/common/project
- Write access test (creates and deletes secret/dev/_access_check_test)
- Token TTL display
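A worked version of the check set above, written as an added example and not the repository's scripts/access/check-vault.sh. It assumes a logged-in vault CLI on PATH (OIDC or AppRole), the KV engine mounted at secret/, VAULT_ADDR and VAULT_NAMESPACE exported (defaults below), and a 10-minute TTL warning threshold; secret values are never printed, only whether each path is readable, and the function returns the number of failed checks so it can gate a job.

```shell
#!/bin/sh
# check-vault-example.sh: exercise the same checks as scripts/access/check-vault.sh.
# Added example, not the repository's script. Assumes a logged-in vault CLI on PATH,
# a KV engine at secret/, and VAULT_ADDR / VAULT_NAMESPACE exported (defaults below).
set -u

: "${VAULT_ADDR:=https://vault.service.roche.com}"
: "${VAULT_NAMESPACE:=rdt-model-prd}"
export VAULT_ADDR VAULT_NAMESPACE

TTL_WARN_SECONDS=600   # assumption: warn when under 10 minutes remain

# Classify a token TTL (seconds, as returned by auth/token/lookup-self).
# lookup-self reports 0 for a token that never expires (e.g. root), which the
# pipeline should never be running on, so that case is called out by name.
ttl_status() {
  if [ "$1" -eq 0 ]; then
    echo non-expiring
  elif [ "$1" -lt "$TTL_WARN_SECONDS" ]; then
    echo short
  else
    echo ok
  fi
}

# True if the path can be read. Output is discarded so secret values never
# land in terminal scrollback or a CI log.
kv_readable() {
  vault kv get -format=json "$1" >/dev/null 2>&1
}

# Round-trip a scratch key. On a KV v2 mount "kv delete" only soft-deletes the
# latest version; "kv metadata delete" removes the key entirely (it fails
# harmlessly on KV v1, hence the || true).
kv_writable() {
  vault kv put "$1" probe="$(date +%s)" >/dev/null 2>&1 || return 1
  vault kv delete "$1" >/dev/null 2>&1 || return 1
  vault kv metadata delete "$1" >/dev/null 2>&1 || true
}

# Run the check set for one environment (default dev). Prints one line per
# check and returns the number of failed checks.
run_checks() {
  env="${1:-dev}"
  failures=0

  if ! ttl="$(vault read -field=ttl auth/token/lookup-self 2>/dev/null)"; then
    echo "FAIL token lookup (not logged in, wrong namespace, or no VPN?)"
    return 1
  fi
  echo "ok   token valid, TTL ${ttl}s ($(ttl_status "$ttl"))"

  for p in secret/common/project "secret/$env/snowflake" "secret/$env/rtis"; do
    if kv_readable "$p"; then
      echo "ok   read  $p"
    else
      echo "FAIL read  $p"
      failures=$((failures + 1))
    fi
  done

  scratch="secret/$env/_access_check_test"
  if kv_writable "$scratch"; then
    echo "ok   write $scratch"
  else
    echo "FAIL write $scratch"
    failures=$((failures + 1))
  fi

  return "$failures"
}

# Invoke as: sh check-vault-example.sh run dev
case "${1:-}" in
  run) run_checks "${2:-dev}" ;;
esac
```

The checks deliberately use `vault kv get` (which works on both KV v1 and v2 mounts) and throw the output away; a check script that prints the secrets it verifies defeats the point of keeping them out of logs.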
Authentication

Interactive — OIDC (PingFederate)

```bash
export VAULT_ADDR=https://vault.service.roche.com
export VAULT_NAMESPACE=rdt-model-prd
vault login -method=oidc -address=https://vault.service.roche.com -namespace=rdt-model-prd
```

This opens a browser for PingFederate SSO. After completion, the token is cached locally: the CLI writes it in plaintext to ~/.vault-token, so treat that file as a credential.

CI/CD — AppRole

```bash
export VAULT_ADDR=https://vault.service.roche.com
export VAULT_NAMESPACE=rdt-model-prd
vault write auth/approle/login \
  role_id="$VAULT_ROLE_ID" \
  secret_id="$VAULT_SECRET_ID"
```

As written, the command prints the whole login response, client token included, to stdout, which in a workflow step is the job log. In CI, capture the token with `-field=token` into a variable and mask it instead of letting it print.

Loading Secrets for Local Development

```bash
source scripts/vault-env.sh dev
```

This script authenticates to Vault (OIDC if no token is cached), reads all secret paths for the target environment, and exports them as shell environment variables. Everything exported this way is inherited by every process started from that shell and shows up in `env` output, so use a dedicated shell session for it and close it when done.
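The CI login and secret-loading steps above, as an added example that is not the repository's workflow code or scripts/vault-env.sh: an AppRole login that keeps the client token out of the job log, followed by reading individual fields into the step's environment. It assumes VAULT_ADDR, VAULT_NAMESPACE, VAULT_ROLE_ID and VAULT_SECRET_ID come from the GitHub Environment, that GITHUB_ENV is the runner's step-env file, and that the RTiS paths hold fields named url, username and password; those field names are assumptions, since the page lists paths but not keys.

```shell
#!/bin/sh
# ci-vault-login-example.sh: AppRole login for a GitHub Actions step that
# never lets the token or a secret value reach the job log.
# Added example; not the repository's workflow or scripts/vault-env.sh.
# Assumes VAULT_ADDR, VAULT_NAMESPACE, VAULT_ROLE_ID and VAULT_SECRET_ID are set
# from the GitHub Environment and GITHUB_ENV is the runner's step-env file.
set -eu

# Log in and print only the client token. A plain "vault write auth/approle/login"
# prints the full response (token, accessor, policies) to stdout, which in a
# workflow step is the job log; -field=token limits it to the one value captured.
approle_login() {
  vault write -field=token auth/approle/login \
    role_id="$VAULT_ROLE_ID" \
    secret_id="$VAULT_SECRET_ID"
}

# GitHub Actions workflow command that registers a value to be masked in the
# log. It is printed on stdout for the runner to interpret; outside Actions it
# would simply echo the value, so only run this script inside a workflow.
mask() {
  printf '::add-mask::%s\n' "$1"
}

# Read one field from a KV path and append NAME=value to GITHUB_ENV so later
# steps in the job see it. Single-line values are assumed; multi-line values
# need the heredoc form of GITHUB_ENV.
export_kv_field() {
  name="$1"; path="$2"; field="$3"
  value="$(vault kv get -field="$field" "$path")"
  mask "$value"
  printf '%s=%s\n' "$name" "$value" >> "$GITHUB_ENV"
}

# Log in, then pull the fields a module needs for the given environment.
# The token stays in this step's process environment only: it is not written
# to GITHUB_ENV, so later steps cannot reuse it, which matches the per-step
# consumption model this page describes.
ci_login_and_export() {
  env="$1"
  token="$(approle_login)"
  mask "$token"
  export VAULT_TOKEN="$token"
  unset VAULT_SECRET_ID   # not needed after login; drop it from this process
  # Field names are assumptions; the page lists paths, not keys.
  export_kv_field RTIS_BASE_URL "secret/common/rtis" url
  export_kv_field RTIS_USERNAME "secret/$env/rtis" username
  export_kv_field RTIS_PASSWORD "secret/$env/rtis" password
}

# Invoke from a workflow step as: sh ci-vault-login-example.sh run "$ENVIRONMENT"
case "${1:-}" in
  run) ci_login_and_export "${2:-dev}" ;;
esac
```

Reading named fields with `-field=` rather than dumping whole paths means a module only ever receives the keys it was written to use, and each value is registered with `::add-mask::` before it is stored, so a later step that echoes its environment cannot leak it in clear.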
Secret Lifecycle

- Initial population: Vault paths are created during namespace setup; values are TBD until the corresponding access task resolves
- Credential rotation: Update the specific Vault path; no code changes are needed. Anything that loaded the old value at startup (a local shell populated by vault-env.sh, a running job) keeps it until it reloads, so restart or re-source after rotating
- New system onboarding: Add a secret/common/{system} path with the base config, and add secret/{env}/{system} for environment-specific credentials
- CI/CD consumption: The GitHub Actions workflow uses AppRole login, reads the required paths, and sets environment variables for the step
Deprecated

- Old URL: vault.service.infra.roche.com:8200. Do not use it; all references have been updated to vault.service.roche.com